Whenever a policy that uses Indexed Document Matching (IDM) detection rules fails to generate the expected incidents, one possible cause is that the IDM index generated on Enforce has not been successfully deployed to the Detection Server that should be producing the incident.
There are a couple of ways to check whether the IDM index has been properly pushed out to the detection server. Follow the steps below:
Log in to Enforce and go to Manage -> Data Profiles -> Indexed Documents.
Click the gray arrow to the left of the index name. This shows all detection servers and the current status of the index on each of them. The status should be "Completed", with the date on which the index was successfully pushed out to the server. If the deployment of the index failed, the status will show that.
You can also check whether the index exists directly on the detection server that should have it by going to the server and checking the path \SymantecDLP\Protect\index. Look for a file named DocSource.someNumber.version.rdx, where someNumber is the same number as the one you wrote down in point 2 and version is the version number of the index. If the file is not present, the index has not been successfully deployed.
If the index has not been deployed to one or more detection servers, click the Retry button next to the document profile in the Indexed Documents section on Enforce.
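The file check described above can be scripted on the detection server. The following is an added example, not part of the original article or of the Symantec DLP product: it scans the index directory for DocSource.someNumber.version.rdx files and reports, for each expected profile number, whether an index file is present, its highest version, and when it was written. The drive letter in the default path and the profile numbers passed in are assumptions; take the real numbers from the Indexed Documents page on Enforce.

```powershell
# Added example (not from the original article): checks a detection server's
# IDM index directory for DocSource.<profileId>.<version>.rdx files and reports
# which expected document profiles are missing. The drive letter in the default
# path and the profile IDs passed in are assumptions; substitute the values
# shown on the Enforce Indexed Documents page.
function Test-IdmIndexDeployment {
    param(
        # Numeric IDM profile IDs you expect to be deployed (from Enforce).
        [Parameter(Mandatory)][int[]]$ExpectedProfileIds,
        # Index directory on the detection server; the drive letter is an assumption.
        [string]$IndexPath = 'C:\SymantecDLP\Protect\index'
    )

    if (-not (Test-Path -LiteralPath $IndexPath)) {
        throw "Index directory not found: $IndexPath"
    }

    # Only files named exactly DocSource.<number>.<number>.rdx count as deployed indexes.
    $pattern  = '^DocSource\.(\d+)\.(\d+)\.rdx$'
    $deployed = @{}
    foreach ($file in Get-ChildItem -LiteralPath $IndexPath -File -Filter 'DocSource.*.rdx') {
        if ($file.Name -match $pattern) {
            $id  = [int]$Matches[1]
            $ver = [int]$Matches[2]
            # Keep the highest version seen for each profile ID.
            if (-not $deployed.ContainsKey($id) -or $deployed[$id].Version -lt $ver) {
                $deployed[$id] = [pscustomobject]@{
                    Version  = $ver
                    Deployed = $file.LastWriteTime   # when the file landed on this server
                }
            }
        }
    }

    foreach ($id in $ExpectedProfileIds) {
        if ($deployed.ContainsKey($id)) {
            [pscustomobject]@{ ProfileId = $id; Status = 'Present'
                               Version = $deployed[$id].Version; Deployed = $deployed[$id].Deployed }
        } else {
            # No .rdx file: the push never happened or failed; use Retry on Enforce.
            [pscustomobject]@{ ProfileId = $id; Status = 'Missing'; Version = $null; Deployed = $null }
        }
    }
}

# Usage (profile IDs 3 and 7 are constructed sample values):
Test-IdmIndexDeployment -ExpectedProfileIds 3, 7 | Format-Table -AutoSize
```

A "Missing" row is the scripted equivalent of the absent file described above, and a "Present" row whose Version is lower than the one Enforce shows means an older index is still in place.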